[Zope] Security Assertions
Godefroid Chapelle
gotcha@swing.be
Thu, 17 Jan 2002 14:10:21 +0100
At 18:43 16/01/2002, you wrote:
Sorry about cross-posting but I think the following info is worth reading
for both zope-users and developers.
>Note that up until Zope 2.5.0b4 there is a bug in the way module security
>assertions are handled that makes it impossible to declare more than one
>assertion without overwriting a previous assertion. It's not really a
>"security hole", it's just annoying and clearly broken. I'd suggest that
>you complain about this (or do it yourself) if you think a monkeypatch is
>in order for Zope 2.3/2.4.
I went to CVS and read AccessControl.SecurityInfo.py
The code looked simple enough that I would take no risk by including it
even if my understanding of the inner-working of Zope is still elementary.
The following patch works to correct the problem for Zope 2.3.3. It does
not seem to cause any other problem.
# patch taken from Zope 2.5
from string import rfind # 1.5.2 syntax
def ModuleSecurityInfo(module_name=None):
if module_name is not None:
modsec = _moduleSecurity.get(module_name, None)
if modsec is not None:
return modsec
dot = rfind(module_name, '.') # 1.5.2 syntax
if dot > 0:
# If the module is in a package, recursively make sure
# there are security declarations for the package steps
# leading to the module
modname = module_name[dot + 1:]
pmodsec = ModuleSecurityInfo(module_name[:dot])
if not pmodsec.names.has_key(modname):
pmodsec.declarePublic(modname)
return _ModuleSecurityInfo(module_name)
class _ModuleSecurityInfo(SecurityInfo):
"""Encapsulate security information for modules."""
in place of
class ModuleSecurityInfo(SecurityInfo):
"""Encapsulate security information for modules."""
I do not know what you mean by a 'monkeypatch' but it is certainly worth it
to add the patch to 2.3.x and 2.4.x branches.
>Godefroid Chapelle wrote:
>
>> > Casey Duncan wrote:
>> >
>> > > So the following things don't work:
>> > >
>> > > from Products.Formulator.Form import FormValidationError
>> >
>> > Either Martijn or you need to add the following lines to a Product
>> > __init__.py somewhere:
>> >
>> > from AccessControl import ModuleSecurityInfo
>> > ModuleSecurityInfo('Products').declarePublic('Formulator')
>> > ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
>> >
>> ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
>>
>> >
>> > Cheers,
>> >
>> > Evan @ Zope
>>
>>I added the above code in the corresponding __init__.py on my machine.
>>Which works almost perfectly...:
>>Further, I needed to be able to import :
>>from Products.gvibDA.gvib.gvibExceptions import IntegrityError
>>
>>So I added the following code in gvibDA's __init__.py
>>from Products.PythonScripts.Utility import allow_module, allow_class
>>from AccessControl import ModuleSecurityInfo, ClassSecurityInfo
>>from Globals import InitializeClass
>>ModuleSecurityInfo('Products').declarePublic('gvibDA')
>>ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib')
>>ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions')
>>ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError')
>>
>>from gvib.gvibExceptions import IntegrityError
>>allow_class(IntegrityError)
>>
>>I get an 'Unauthorized: Formulator' error when accessing a script
>>beginning with
>>from Products.Formulator.Form import FormValidationError
>>from Products.gvibDA.gvib.gvibExceptions import IntegrityError
>>
>>I suppose it has something to do with the creation of two instances of
>>ModuleSecurityInfo('Products') but have no idea how to correct the problem.
>>Any help would be appreciated.
>>
>>--
>>
>>Godefroid Chapelle
>>BubbleNet sprl
>>rue Victor Horta, 18 / 202
>>1348 Louvain-la-Neuve
>>Belgium
>>Tel + 32 (10) 459901
>>Mob + 32 (477) 363942
>>TVA 467 093 008
>>RC Niv 49849
>>
>>_______________________________________________
>>Zope maillist - Zope@zope.org
>>http://lists.zope.org/mailman/listinfo/zope
>>** No cross posts or HTML encoding! **
>>(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
>>http://lists.zope.org/mailman/listinfo/zope-dev )
>
>
--
Godefroid Chapelle
BubbleNet sprl
rue Victor Horta, 18 / 202
1348 Louvain-la-Neuve
Belgium
Tel + 32 (10) 459901
Mob + 32 (477) 363942
TVA 467 093 008
RC Niv 49849